Security Assessment Polylastic

Security Assessment

Polylastic - Airdrop and Token Swap

May 21st, 2021 Polylastic - Airdrop and Token Swap Security Assessment

Table of Contents

Summary

Overview Project Summary Audit Summary Vulnerability Summary Audit Scope

Findings AIR-01 : Unlocked Compiler Version AIR-02 : Library ÈCDSA` is attached with any data type AIR-03 : Mutability Specifiers Missing AIR-04 : Redundant Statements AIR-05 : Lack of validation for constructor parameter AIR-06 : Comparison with boolean literal AIR-07 : Unchecked Value of ERC-20 `transfer()`/`transferFrom()` Call AIR-08 : Possibility of reentrancy attack AIR-09 : SPDX license identifier not provided TSP-01 : Unlocked Compiler Version TSP-02 : Library `SafeMath` is attached with any data type TSP-03 : Mutability Specifiers Missing TSP-04 : Lack of validation for constructor parameter TSP-05 : Unchecked Value of ERC-20 `transfer()` Call TSP-06 : Inexistent Error Messages TSP-07 : Token amount is not validated against zero TSP-08 : Token amount is not validated against zero TSP-09 : SPDX license identifier not provided TSP-10 : Unchecked Value of ERC-20 `transfer()` Call

Formal Veriﬁcation Requests

Appendix

Disclaimer

About Polylastic - Airdrop and Token Swap Security Assessment

Summary

This report has been prepared for Polylastic - Airdrop and Token Swap smart contracts, to discover issues and vulnerabilities in the source code of their Smart Contract as well as any contract dependencies that were not part of an oﬃcially recognized library. A comprehensive examination has been performed, utilizing Static Analysis and Manual Review techniques.

The auditing process pays special attention to the following considerations:

Testing the smart contracts against both common and uncommon attack vectors. Assessing the codebase to ensure compliance with current best practices and industry standards. Ensuring contract logic meets the speciﬁcations and intentions of the client. Cross referencing contract structure and implementation against similar smart contracts produced by industry leaders. Thorough line-by-line manual review of the entire codebase by industry experts.

The security assessment resulted in ﬁndings that ranged from critical to informational. We recommend addressing these ﬁndings to ensure a high level of security standards and industry practices. We suggest recommendations that could better serve the project from the security perspective:

Enhance general coding practices for better structures of source codes; Add enough unit tests to cover the possible use cases given they are currently missing in the repository; Provide more comments per each function for readability, especially contracts are veriﬁed in public; Provide more transparency on privileged activities once the protocol is live.

Majority of the findings are of informational nature with four minor and one medium findings. Minor findings comprise the lack of validation of constructor parameters and unchecked values of tokens transfers while the medium finding relates to the possibility of reentrancy attack. Polylastic - Airdrop and Token Swap Security Assessment

Overview

Project Summary

Project Name Polylastic - Airdrop and Token Swap

The audited contracts comprise Airdrop and TokenSwap contracts. Airdrop contract Description airdrops tokens to all the users using a signature and TokenSwap contracts allows users to send their old POLX tokens and get the new one in 1:1 ratio.

Platform Ethereum

Language Solidity

Codebase https://github.com/polylastic/smart-contracts

1. 616d4cd3f6d3d7807e50e61c595001f24dfd7828 Commits 2. 23cba73f8bcdb704b74b1dd20bb36e0f06909cf3

Audit Summary

Delivery Date May 21, 2021

Audit Methodology Static Analysis, Manual Review

Key Components

Vulnerability Summary

Total Issues 19

Critical 0

Major 0

Medium 1

Minor 5

Informational 13

Discussion 0 Polylastic - Airdrop and Token Swap Security Assessment

Audit Scope

ID ﬁle SHA256 Checksum

AIR Airdrop.sol ddb779ecabe78745e8e9b717d8c0d6598074eb667347f499e6db6f85df1407e1

TSP TokenSwapPortal.sol 0e36fc9851d1850eﬀ69a81e097d62b9635d04ab639846d1e2b3e10ce25e75a6 Polylastic - Airdrop and Token Swap Security Assessment

Findings

Critical 0 (0.00%) Major 0 (0.00%) 19 Medium 1 (5.26%) Minor 5 (26.32%) Total Issues Informational 13 (68.42%) Discussion 0 (0.00%)

ID Title Category Severity Status

Language AIR-01 Unlocked Compiler Version Informational Resolved Speciﬁc

Language AIR-02 Library ECDSA is attached with any data type Informational Resolved Speciﬁc

Gas AIR-03 Mutability Speciﬁers Missing Informational Declined Optimization

AIR-04 Redundant Statements Inconsistency Informational Resolved

AIR-05 Lack of validation for constructor parameter Logical Issue Minor Resolved

Gas AIR-06 Comparison with boolean literal Informational Resolved Optimization

Unchecked Value of ERC-20 AIR-07 Volatile Code Minor Resolved transfer() / transferFrom() Call

AIR-08 Possibility of reentrancy attack Volatile Code Medium Resolved

Language AIR-09 SPDX license identiﬁer not provided Informational Declined Speciﬁc

Language TSP-01 Unlocked Compiler Version Informational Resolved Speciﬁc

Language TSP-02 Library SafeMath is attached with any data type Informational Resolved Speciﬁc Polylastic - Airdrop and Token Swap Security Assessment

ID Title Category Severity Status

Gas TSP-03 Mutability Speciﬁers Missing Informational Declined Optimization

TSP-04 Lack of validation for constructor parameter Logical Issue Minor Resolved

TSP-05 Unchecked Value of ERC-20 transfer() Call Volatile Code Minor Resolved

TSP-06 Inexistent Error Messages Coding Style Informational Resolved

TSP-07 Token amount is not validated against zero Volatile Code Informational Resolved

TSP-08 Token amount is not validated against zero Volatile Code Informational Declined

Language TSP-09 SPDX license identiﬁer not provided Informational Declined Speciﬁc

TSP-10 Unchecked Value of ERC-20 transfer() Call Volatile Code Minor Resolved Polylastic - Airdrop and Token Swap Security Assessment

AIR-01 | Unlocked Compiler Version

Category Severity Location Status

Language Speciﬁc Informational Airdrop.sol: 1 Resolved

Description

The contract has unlocked compiler version. An unlocked compiler version in the source code of the contract permits the user to compile it at or above a particular version. This, in turn, leads to differences in the generated bytecode between compilations due to differing compiler version numbers. This can lead to an ambiguity when debugging as compiler specific bugs may occur in the codebase that would be hard to identify over a span of multiple compiler versions rather than a specific one.

Recommendation

We advise that the compiler version is instead locked at the lowest version possible that the contract can be compiled at. For example, for ^0.6.12 , the version can be locked at 0.6.12 .

Alleviation

Alleviations are applied as of commit hash 23cba73f8bcdb704b74b1dd20bb36e0f06909cf3 . Polylastic - Airdrop and Token Swap Security Assessment

AIR-02 | Library ECDSA is attached with any data type

Category Severity Location Status

Language Speciﬁc Informational Airdrop.sol: 8 Resolved

Description

The aforementioned line attaches ECDSA library with any data type yet the library is declared to work with bytes32 data type and is used with the bytes32 type variables in the codebase.

Recommendation

We recommend to explicitly attach the library ECDSA only with the data type bytes32 to increase the legibility of the codebase.

using ECDSA for bytes32;

Alleviation

Alleviations are applied as of commit hash 23cba73f8bcdb704b74b1dd20bb36e0f06909cf3 . Polylastic - Airdrop and Token Swap Security Assessment

AIR-03 | Mutability Specifiers Missing

Category Severity Location Status

Gas Optimization Informational Airdrop.sol: 10, 12, 13 Declined

Description

The linked variables are assigned to only once, either during their contract-level declaration or during the constructor 's execution.

Recommendation

For the former, we advise that the constant keyword is introduced in the variable declaration to greatly optimize the gas cost involved in utilizing the variable. For the latter, we advise that the immutable mutability speciﬁer is set at the variable's contract-level declaration to greatly optimize the gas cost of utilizing the variables. Please note that the immutable keyword only works in Solidity versions v0.6.5 and up.

Alleviation

No alleviations. Polylastic - Airdrop and Token Swap Security Assessment

AIR-04 | Redundant Statements

Category Severity Location Status

Inconsistency Informational Airdrop.sol: 14 Resolved

Description

The linked statements do not aﬀect the functionality of the codebase and appear to be either leftovers from test code or older functionality.

Recommendation

We advise that they are removed to better prepare the code for production environments.

Alleviation

Alleviations are applied as of commit hash 23cba73f8bcdb704b74b1dd20bb36e0f06909cf3 by utilizing the variable in code. Polylastic - Airdrop and Token Swap Security Assessment

AIR-05 | Lack of validation for constructor parameter

Category Severity Location Status

Logical Issue Minor Airdrop.sol: 20 Resolved

Description

The parameters of constructor on the aforementioned line are used to initialize the state of variables of contract and yet not validated against zero value. As the initialized state variables of the contract cannot be changed later, it can result in unwanted state of the contract.

Recommendation

We recommend to validate the address type constructor parameters on the aforementioned lines against zero address value for the address type variables and against integer zero for unsigned integer type variable.

Alleviation

Alleviations are applied as of commit hash 23cba73f8bcdb704b74b1dd20bb36e0f06909cf3 . Polylastic - Airdrop and Token Swap Security Assessment

AIR-06 | Comparison with boolean literal

Category Severity Location Status

Gas Optimization Informational Airdrop.sol: 29, 30 Resolved

Description

The aforementioned lines perform comparison with boolean literal which can substituted with either with the expression or the negation of the expression to save gas cost.

Recommendation

We advise to substitute the comparison with boolean literal on L29 with the expression itself and on L30 with the negation of the expression.

Alleviation

Alleviations are applied as of commit hash 23cba73f8bcdb704b74b1dd20bb36e0f06909cf3 . Polylastic - Airdrop and Token Swap Security Assessment

AIR-07 | Unchecked Value of ERC-20 transfer() / transferFrom() Call

Category Severity Location Status

Volatile Code Minor Airdrop.sol: 32 Resolved

Description

The linked transfer() / transferFrom() invocations do not check the return value of the function call which should yield a true result in case of a proper ERC-20 implementation.

Recommendation

As many tokens do not follow the ERC-20 standard faithfully, they may not return a bool variable in this function's execution meaning that simply expecting it can cause incompatibility with these types of tokens.

Instead, we advise that OpenZeppelin's SafeERC20.sol implementation is utilized for interacting with the transfer() and transferFrom() functions of ERC-20 tokens. The OZ implementation optionally checks for a return value rendering compatible with all ERC-20 token implementations.

Alleviation

Alleviations are applied as of commit hash 23cba73f8bcdb704b74b1dd20bb36e0f06909cf3 by explicitly checking the return value of transfer function. Polylastic - Airdrop and Token Swap Security Assessment

AIR-08 | Possibility of reentrancy attack

Category Severity Location Status

Volatile Code Medium Airdrop.sol: 32, 35 Resolved

Description

The aforementioned line performs transfer of airdrop tokens to the user. An ERC20 and ERC777 implementations, such as tokens like imBTC can inform the recipient of token transfer with callback call thus leading to re-entrancy possibility. If the function is re-entered then the msg.sender is able to drain all the airdrop tokens balance of the contract as the claimed status of the user is set to true after the transfer call.

Recommendation

We advise to update the claimed status of the user to true before the transfer call, so any re-entry attempt is reverted by the function.

Alleviation

Alleviations are applied as of commit hash 23cba73f8bcdb704b74b1dd20bb36e0f06909cf3 . Polylastic - Airdrop and Token Swap Security Assessment

AIR-09 | SPDX license identifier not provided

Category Severity Location Status

Language Speciﬁc Informational Airdrop.sol: 1 Declined

Description

The source ﬁle does not specify SPDX license identiﬁer.

Recommendation

Consider adding the SPDX license identiﬁer before deployment

Alleviation

No alleviation. Polylastic - Airdrop and Token Swap Security Assessment

TSP-01 | Unlocked Compiler Version

Category Severity Location Status

Language Speciﬁc Informational TokenSwapPortal.sol: 1 Resolved

Description

Recommendation

We advise that the compiler version is instead locked at the lowest version possible that the contract can be compiled at. For example, for ^0.6.12 , the version can be locked at 0.6.12 .

Alleviation

Alleviations are applied as of commit hash 23cba73f8bcdb704b74b1dd20bb36e0f06909cf3 . Polylastic - Airdrop and Token Swap Security Assessment

TSP-02 | Library SafeMath is attached with any data type

Category Severity Location Status

Language Speciﬁc Informational TokenSwapPortal.sol: 9 Resolved

Description

The aforementioned line attaches SafeMath library with any data type yet the library is declared to work with uint256 data type and is used with the uint256 type variables in the codebase.

Recommendation

We recommend to explicitly attach the library SafeMath only with the data type uint256 to increase the legibility of the codebase.

using SafeMath for uint256;

Alleviation

Alleviations are applied as of commit hash 23cba73f8bcdb704b74b1dd20bb36e0f06909cf3 . Polylastic - Airdrop and Token Swap Security Assessment

TSP-03 | Mutability Specifiers Missing

Category Severity Location Status

Gas Optimization Informational TokenSwapPortal.sol: 11, 13, 15 Declined

Description

The linked variables are assigned to only once, either during their contract-level declaration or during the constructor 's execution.

Recommendation

Alleviation

No alleviations. Polylastic - Airdrop and Token Swap Security Assessment

TSP-04 | Lack of validation for constructor parameter

Category Severity Location Status

Logical Issue Minor TokenSwapPortal.sol: 19 Resolved

Description

The address type parameters of constructor on the aforementioned line are used to initialize the state of variables of contract and yet not validated against zero address value. As the initialized state variables of the contract cannot be changed later, it can result in unwanted state of the contract.

Recommendation

We recommend to validate the address type constructor parameters on the aforementioned lines against zero address value.

Alleviation

Alleviations are applied as of commit hash 23cba73f8bcdb704b74b1dd20bb36e0f06909cf3 . Polylastic - Airdrop and Token Swap Security Assessment

TSP-05 | Unchecked Value of ERC-20 transfer() Call

Category Severity Location Status

Volatile Code Minor TokenSwapPortal.sol: 33, 44 Resolved

Description

The linked transfer() invocations do not check the return value of the function call which should yield a true result in case of a proper ERC-20 implementation.

Recommendation

Instead, we advise that OpenZeppelin's SafeERC20.sol implementation is utilized for interacting with the transfer() function of ERC-20 tokens. The OZ implementation optionally checks for a return value rendering compatible with all ERC-20 token implementations.

Alleviation

Alleviations are applied as of commit hash 23cba73f8bcdb704b74b1dd20bb36e0f06909cf3 by explicitly checking the return value of transfer operations. Polylastic - Airdrop and Token Swap Security Assessment

TSP-06 | Inexistent Error Messages

Category Severity Location Status

Coding Style Informational TokenSwapPortal.sol: 42, 43 Resolved

Description

The linked require checks do not contain any error message speciﬁed.

Recommendation

We advise the error messages of these checks to be set to properly illustrate what the conditionals within evaluate.

Alleviation

Alleviations are applied as of commit hash 23cba73f8bcdb704b74b1dd20bb36e0f06909cf3 . Polylastic - Airdrop and Token Swap Security Assessment

TSP-07 | Token amount is not validated against zero

Category Severity Location Status

Volatile Code Informational TokenSwapPortal.sol: 31 Resolved

Description

The token amount on the aforementioned line is used in ERC-20 transfers and yet it is not validated against zero.

Recommendation

Consider adding a requirement that the sender’s balance amount should be non-zero after line L31 .

Alleviation

Alleviations are applied as of commit hash 23cba73f8bcdb704b74b1dd20bb36e0f06909cf3 . Polylastic - Airdrop and Token Swap Security Assessment

TSP-08 | Token amount is not validated against zero

Category Severity Location Status

Volatile Code Informational TokenSwapPortal.sol: 39 Declined

Description

The token amount on the aforementioned line is used in ERC-20 transfers and yet it is not validated against zero.

Recommendation

Consider adding a requirement that the value of the supplied amount parameter should be non-zero.

Alleviation

No alleviations. Polylastic - Airdrop and Token Swap Security Assessment

TSP-09 | SPDX license identifier not provided

Category Severity Location Status

Language Speciﬁc Informational TokenSwapPortal.sol: 1 Declined

Description

The source ﬁle does not specify SPDX license identiﬁer.

Recommendation

Consider adding the SPDX license identiﬁer before deployment.

Alleviation

No alleviations. Polylastic - Airdrop and Token Swap Security Assessment

TSP-10 | Unchecked Value of ERC-20 transfer() Call

Category Severity Location Status

Volatile Code Minor TokenSwapPortal.sol: 32 Resolved

Description

The linked transfer() invocations do not check the return value of the function call which should yield a true result in case of a proper ERC-20 implementation.

Recommendation

Alleviation

Alleviations are applied as of commit hash 23cba73f8bcdb704b74b1dd20bb36e0f06909cf3 by explicitly checking return value of transferFrom function. Polylastic - Airdrop and Token Swap Security Assessment

Appendix

Finding Categories

Gas Optimization

Gas Optimization findings do not affect the functionality of the code but generate different, more optimal EVM opcodes resulting in a reduction on the total gas cost of a transaction.

Logical Issue

Logical Issue ﬁndings detail a fault in the logic of the linked code, such as an incorrect notion on how block.timestamp works.

Volatile Code

Volatile Code ﬁndings refer to segments of code that behave unexpectedly on certain edge cases that may result in a vulnerability.

Language Specific

Language Speciﬁc ﬁndings are issues that would only arise within Solidity, i.e. incorrect usage of private or delete.

Coding Style

Coding Style ﬁndings usually do not aﬀect the generated byte-code but rather comment on how to make the codebase more legible and, as a result, easily maintainable.

Inconsistency

Inconsistency findings refer to functions that should seemingly behave similarly yet contain different code, such as a constructor assignment imposing different require statements on the input variables than a setter function.

Checksum Calculation Method

The "Checksum" field in the "Audit Scope" section is calculated as the SHA-256 (Secure Hash Algorithm 2 with digest size of 256 bits) digest of the content of each file hosted in the listed source repository under the specified commit. Polylastic - Airdrop and Token Swap Security Assessment

The result is hexadecimal encoded and is the same as the output of the Linux "sha256sum" command against the target ﬁle. Polylastic - Airdrop and Token Swap Security Assessment

Disclaimer

This report is subject to the terms and conditions (including without limitation, description of services, conﬁdentiality, disclaimer and limitation of liability) set forth in the Services Agreement, or the scope of services, and terms and conditions provided to the Company in connection with the Agreement. This report provided in connection with the Services set forth in the Agreement shall be used by the Company only to the extent permitted under the terms and conditions set forth in the Agreement. This report may not be transmitted, disclosed, referred to or relied upon by any person for any purposes without CertiK’s prior written consent.

This report is not, nor should be considered, an “endorsement” or “disapproval” of any particular project or team. This report is not, nor should be considered, an indication of the economics or value of any “product” or “asset” created by any team or project that contracts CertiK to perform a security assessment. This report does not provide any warranty or guarantee regarding the absolute bug-free nature of the technology analyzed, nor do they provide any indication of the technologies proprietors, business, business model or legal compliance.

This report should not be used in any way to make decisions around investment or involvement with any particular project. This report in no way provides investment advice, nor should be leveraged as investment advice of any sort. This report represents an extensive assessing process intending to help our customers increase the quality of their code while reducing the high level of risk presented by cryptographic tokens and blockchain technology.

Blockchain technology and cryptographic assets present a high level of ongoing risk. CertiK’s position is that each company and individual are responsible for their own due diligence and continuous security. CertiK’s goal is to help reduce the attack vectors and the high level of variance associated with utilizing new and consistently changing technologies, and in no way claims any guarantee of security or functionality of the technology we agree to analyze. Polylastic - Airdrop and Token Swap Security Assessment

About

Founded in 2017 by leading academics in the ﬁeld of Computer Science from both Yale and Columbia University, CertiK is a leading blockchain security company that serves to verify the security and correctness of smart contracts and blockchain-based protocols. Through the utilization of our world-class technical expertise, alongside our proprietary, innovative tech, we’re able to support the success of our clients with best-in-class security, all whilst realizing our overarching vision; provable trust for all throughout all facets of blockchain.